From: Todd C. Miller
Date: Wed, 16 Jan 2002 21:28:25 +0000 (+0000)
Subject: o when invoking the mailer as root use a hard-coded environment that
X-Git-Tag: SUDO_1_6_5~6
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=261f8190739a049d3adf0821f481c3cff8a0e5c2;p=sudo

o when invoking the mailer as root use a hard-coded environment that
doesn't include any info from the user's environment. Basically paranoia.
o Add support for the NO_ROOT_MAILER compile-time option and run the mailer as the user and not root if NO_ROOT_MAILER is defined.
---
diff --git a/logging.c b/logging.c
index e0456379b..56f15b6a9 100644
--- a/logging.c
+++ b/logging.c
@@ -439,6 +439,15 @@ send_mail(line)
     char *p;
     int pfd[2], pid, status;
     sigset_t set, oset;
+#ifndef NO_ROOT_MAILER
+    static char *root_envp[] = {
+	"HOME=/",
+	"PATH=/usr/bin:/bin",
+	"LOGNAME=root",
+	"USER=root",
+	NULL
+    };
+#endif
 
     /* Just return if mailer is disabled. */
     if (!def_str(I_MAILERPATH) || !def_str(I_MAILTO))
@@ -493,9 +502,17 @@ send_mail(line)
 	    /* Close password file so we don't leak the fd. */
 	    endpwent();
 
-	    /* Run mailer as root so user cannot kill it. */
+	    /*
+	     * Depending on the config, either run the mailer as root
+	     * (so user cannot kill it) or as the user (for the paranoid).
+	     */
+#ifndef NO_ROOT_MAILER
 	    set_perms(PERM_FULL_ROOT, 0);
+	    execve(mpath, argv, root_envp);
+#else
+	    set_perms(PERM_FULL_USER, 0);
 	    execv(mpath, argv);
+#endif /* NO_ROOT_MAILER */
 	    _exit(127);
 	}
 	break;
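Review bot: The new `root_envp` table carries no comment saying why it exists, and the `#endif` that closes it is bare while the matching `#endif` in the exec block later in the function is annotated `/* NO_ROOT_MAILER */`. A reader of the declaration alone cannot tell that this is the deliberate replacement for the inherited environment; suggest a comment above the array such as `/* Fixed, minimal environment for the root-run mailer; nothing from the invoking user's environment is passed through. */` and `#endif /* NO_ROOT_MAILER */` for consistency. send_mail's declarations and body continue outside this hunk.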
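Review bot: The new comment block above the `#ifndef NO_ROOT_MAILER` explains only which identity the mailer runs under, but the substantive change in the root branch is that `execve()` now replaces the inherited environment with the fixed `root_envp`, whereas the `NO_ROOT_MAILER` branch keeps `execv()` and so inherits whatever environment sudo has at this point. Suggest extending the comment with `* As root we also pass a hard-coded environment so nothing from the` and `* invoking user reaches the privileged mailer; as the user we inherit environ.` so the two branches' differing environment handling is stated next to the code. Whether the environment was already sanitized before send_mail is entered is not visible here; send_mail starts and ends outside the hunk.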